JP2009282849A - Microcomputer - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To determine which of duplicated ECC circuits is wrong. <P>SOLUTION: Every time data are read from a memory (10), a first CPU (21) determines whether or not non-correspondence is detected from the result of comparison in a first comparison circuit (51), prescribed data for generating an ECC error are written to the memory on the basis of the determination, and processing to determine the failure of a first ECC circuit (41) from the failure of a second ECC circuit (42) is performed. According to the processing, the failure of the first ECC circuit and the failure of the second ECC circuit are discriminated, so that it can be determined which of the duplicated ECC circuits (41, 42) is wrong. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a microcomputer having an error correction function based on ECC (Error Correction Code), and further relates to a diagnostic technique for the ECC function in the microcomputer.

  ECC refers to redundant data that is added separately from the original data to correct data errors when data is read from a storage device or the like. The error correction function by ECC is used in the field of computers and communications. It is an error correction technology that has been introduced. When certain information is read from the memory or received, an error in the information can be detected and one bit of the minimum unit can be automatically corrected. In order to improve the reliability of the data read from the memory in a microcomputer, it is effective to add ECC to data such as a program and record it, and to perform error correction using the ECC for the read data It is said. Hardware for realizing the ECC function is referred to as an ECC circuit. In this ECC circuit, error check processing is performed on read data with ECC, and if there is an error in the read data, the error is corrected. When the error correction is completed, the ECC is unnecessary and is deleted.

  For example, a microcomputer used in an automobile control system performs important control by a control program. If the stored contents of the program storage memory for storing the control program change for some reason, the microcomputer cannot perform correct control, which may lead to a dangerous state. Accordingly, high reliability is required for the ECC error correction function of the microcomputer used in the control system of the automobile, and the ECC circuit itself needs to be diagnosed.

  However, in order to diagnose the ECC circuit, it is necessary to compare the data read through the ECC circuit with the expected value, and to derive the data based on the logical expression constituting the ECC circuit. Various combinations must be considered, and the software becomes complicated. If the software becomes complicated, it may cause new problems. Therefore, it is conceivable to duplicate the ECC circuit and detect whether or not the output signals of the two ECC circuits match with a comparator such as a comparator (for example, see Patent Document 1).

Japanese Patent Laid-Open No. 4-153838

  However, in the configuration in which the ECC circuit is duplicated and the comparator or the like detects whether or not the output signals of the two ECC circuits match, the above comparator cannot detect the mismatch of the output signals of the two ECC circuits. However, it cannot be determined which of the duplicated ECC circuits is faulty. Further, it is conceivable to forcibly reset as a process when a mismatch is detected by the comparator. For example, in the case of a microcomputer used in a control system of an automobile, the peripheral circuit and the microcomputer are reset. If the processing in various peripheral circuits connected to the outside of the device is undesirably interrupted and the control target runs away, a dangerous state may be caused.

  An object of the present invention is to provide a technique that makes it possible to determine which of the duplicated ECC circuits has failed.

  Another object of the present invention is to provide a technique for determining which of the duplicated ECC circuits has failed and improving the reliability of the microcomputer based on the determination result.

  The above and other objects and novel features of the present invention will be apparent from the description of this specification and the accompanying drawings.

  A representative one of the inventions disclosed in the present application will be briefly described as follows.

  That is, every time data is read from the memory, the first CPU determines whether or not a mismatch has been detected from the comparison result in the first comparison circuit, and based on this, a predetermined error for generating an ECC error in the memory is determined. Data is written, and processing for discriminating between the failure of the first ECC circuit and the failure of the second ECC circuit is executed. By the above processing, the failure of the first ECC circuit and the failure of the second ECC circuit are discriminated, and this makes it possible to determine which of the duplicated ECC circuits has failed.

  The effects obtained by the representative ones of the inventions disclosed in the present application will be briefly described as follows.

  That is, it is possible to determine which of the duplicated ECC circuits has failed. Also. It is possible to determine which of the duplicated ECC circuits has failed, and to improve the reliability of the microcomputer based on the determination result.

1. Representative Embodiment First, an outline of a typical embodiment of the invention disclosed in the present application will be described. The reference numerals in the drawings referred to with parentheses in the outline description of the representative embodiments merely exemplify what are included in the concept of the components to which the reference numerals are attached.

  [1] A microcomputer (1) according to a typical embodiment of the present invention includes a memory (10) including a data mat and an ECC mat, and writes data to each of the data mat and the ECC mat of the memory. A readable memory interface (31, 32) and a first ECC circuit (41) that performs error check of data read from the memory and corrects the error of the read data when there is an error. included. Further, an error check of the data read from the memory is performed, and if there is an error in the read data, a second ECC circuit (42) for correcting the error of the data and the first ECC incorporating the first ECC circuit. A first bus (61) capable of transmitting data obtained via the memory interface (31) and a second bus capable of transmitting data obtained via the second memory interface (32) incorporating the second ECC circuit. 2 buses (62). Further, the first CPU (21) coupled to the first bus and capable of processing the data captured via the first bus, and the second CPU coupled to the second bus and captured via the second bus. A second CPU (22) capable of processing data, and a first comparison circuit (51) capable of comparing whether or not the output information of the first ECC circuit matches the output information of the second ECC circuit. It is. Each time data is read from the memory, the first CPU determines whether or not a mismatch is detected based on the comparison result in the first comparison circuit. Failure diagnosis processing for writing predetermined data for generating an ECC error in each of the data mat and the ECC mat of the memory and then reading the data so as to distinguish between the failure of the first ECC circuit and the failure of the second ECC circuit (S209 to S222) are executed.

  Each time data is read from the memory, the first CPU determines whether or not a mismatch has been detected based on the comparison result of the first comparison circuit. If a mismatch is detected, the failure diagnosis is performed. By the processing failure diagnosis processing (S209 to S222), the failure of the first ECC circuit and the failure of the second ECC circuit are determined. This makes it possible to determine which of the duplicated ECC circuits has failed.

  [2] In the above [1], when the failure diagnosis processing by the first CPU grasps the mismatch detection based on the comparison result in the first comparison circuit, predetermined data for generating an ECC error is stored in the memory. After writing to each of the data mat and the ECC mat, the data mat is read out, and the predetermined data transmitted through the first ECC circuit and the first bus is compared with an expected value after error correction of the predetermined data. Based on the comparison result, it is possible to include a process that makes it possible to discriminate between the failure of the first ECC circuit and the failure of the second ECC circuit.

  [3] In [1], the first read data read from the memory and transmitted via the first ECC circuit and the first bus, and read from the memory, the second ECC circuit, and the A second comparison circuit (52) that can compare whether the second read data transmitted through the second bus matches or not can be included. In that case, in the failure diagnosis processing by the first CPU, when the mismatch detection is grasped based on the comparison result in the first comparison circuit, the predetermined data for generating the ECC error is set as the data mat of the memory and the ECC. After writing to each of the mats, reading it, comparing the predetermined data transmitted via the first ECC circuit and the first bus with the expected value after error correction of the predetermined data, and the comparison result; Including a process that makes it possible to discriminate between the failure of the first ECC circuit and the failure of the second ECC circuit based on the comparison result of the first comparison circuit and the comparison result of the second comparison circuit. it can.

  [4] In the above [3], in the failure diagnosis process, the predetermined data does not match an expected value after error correction of the predetermined data, and the first read data and the second read data are If they do not match, the first process (S219) for determining that the first ECC circuit has failed, the predetermined data and the expected value after error correction of the predetermined data match, and the first ECC circuit If the error check result does not match the error check result in the second ECC circuit, a second process (S215) for determining that the second ECC circuit has failed can be included.

  [5] In [4], when the first CPU (21) determines that the second ECC circuit has failed in the failure diagnosis process, the first CPU (21) executes a system stop process for transitioning to a safe state even if reset. (S216), and thereafter, it can be configured to shift to a reset process (S219).

  Thus, by executing the safe system stop process before resetting and shifting to the reset process after the process is completed, the reliability of the entire system can be further improved.

  [6] In the above [4], the first CPU can be configured to promptly transition to a reset process when it is determined in the fault diagnosis process that the first ECC circuit has failed.

  [7] According to another aspect, in another microcomputer (1) according to a representative embodiment of the present invention, the first CPU uses predetermined data for generating an ECC error as data in the memory. After writing to each of the mat and the ECC mat, it is read, and the predetermined data transmitted through the first ECC circuit and the first bus is compared with an expected value after error correction of the predetermined data, and the comparison Based on the result, it is possible to perform an error injection process (S202, S310 to S320) that makes it possible to distinguish between the failure of the first ECC circuit and the failure of the second ECC circuit.

  [8] In the above [7], the error injection processing can be configured to be periodically executed at predetermined time intervals.

  [9] In the above [7], the error injection process may be executed due to a power-on reset due to the start of energization of the microcomputer.

  [10] In the above [7], the error injection process may be executed due to resetting of the microcomputer.

2. Next, the embodiment will be described in more detail.

  FIG. 4 shows a microcomputer according to the present invention (sometimes referred to as a microcontroller or a microprocessor). The microcomputer 1 shown in FIG. 4 is not particularly limited, but is mounted on a control system of an automobile, and is formed on one semiconductor substrate such as a single crystal silicon substrate by a known semiconductor integrated circuit manufacturing technique. The microcomputer 1 is not particularly limited, but includes a first interrupt controller 11, a second interrupt controller 12, a memory 10, a first CPU (central processing unit) 21, a second CPU 22, a first memory interface 31, a second memory interface 32, A first comparison circuit 51, a second comparison circuit 52, a PWM timer 54, an SCI (Serial Communication Interface) 55, a CAN (Controller Area Network) 56, and an AD converter 57 are included.

  Each of the first CPU 21 and the second CPU 22 executes predetermined arithmetic processing according to a program loaded in the memory 10. When the first CPU 21 is a main CPU, the second CPU 22 is a sub CPU. The first interrupt controller 11 performs an interrupt process for the first CPU 21, and the second interrupt controller 12 performs an interrupt process for the second CPU 22. The first CPU 21 is coupled to the first CPU bus 61, and enables various data, address signals, and control signals to be exchanged via the first CPU bus 61. The second CPU 21 is coupled to the second CPU bus 62, and allows various data, address signals, and control signals to be exchanged via the second CPU bus 62. The memory 10 is a random accessible RAM (random access memory), and stores programs executed by the first CPU 21 and the second CPU 22 and various data necessary for executing the programs. The memory 10 is coupled to the first CPU bus 61 via the first memory interface 31. The memory 10 is coupled to the second CPU bus 62 via the second memory interface 32. The first memory interface 31 and the second memory interface 32 have an ECC (Error Correction Code) circuit built therein, and an error check is performed on the data read from the memory, and there is an error in the read data. The error correction of the data is performed. The first memory interface 31 has a function of writing data to each of the data mat 10A and the ECC mat 10B of the memory 10. The first comparison circuit 51 compares whether or not the error check result in the first memory interface 31 matches the error check result in the second memory interface 32. The second comparison circuit 52 compares the read data output to the first CPU bus 61 via the first memory interface 31 and the read data output to the second CPU bus 62 via the second memory interface 32. To do. A peripheral bus 63 is coupled to the first CPU bus 61 via a bus bridge 53. A PWM timer 54, SCI 55, CAN 56, and AD converter 57 are coupled to the peripheral bus 57. The PWM timer 54 generates a PWM pulse and changes the duty ratio of the PWM pulse. The PWM timer 54 includes a RAM capable of setting the duty value pattern of the PWM pulse and a PWM controller capable of generating a PWM pulse. The PWM controller includes a PWM counter, and the unit waveform of the PWM pulse is generated by a compare match between the duty value in the RAM and the output value of the PWM counter, and the next duty value is set for each compare match. By loading from the RAM without CPU intervention, the duty value of the PWM pulse can be changed over time. The SCI 55 enables serial communication with the outside. The CAN 56 allows various information to be exchanged in the control area network via a predetermined port. The AD converter 57 converts an analog signal transmitted from a sensor or the like into a digital signal that can be processed by the microcomputer 1.

  FIG. 1 shows a detailed configuration example of a main part of the microcomputer shown in FIG.

  The memory 10 is provided with a data mat 10A for storing data and an ECC mat 10B for storing ECC corresponding to the data stored in the data mat 10A. When data is read from the data mat 10A, the corresponding ECC is read from the ECC mat 10B. The first memory interface 31 has a function of allowing predetermined data to be written in each of the data mat 10A and the ECC mat 10B.

  The first memory interface 31 performs an error check on the data read from the memory 10 based on the corresponding ECC, and automatically corrects one bit of the minimum unit when an ECC error occurs. The first ECC circuit 41 for performing the error and the first error address for temporarily holding an address (referred to as an “error address”) in the memory 10 in which the data related to the error is stored when an ECC error occurs Register 71. The result of the error check is reflected in the ECC error information. This ECC error information is 1-bit flag information and is held in an appropriate register in the first memory interface 31. The ECC error information is not particularly limited, but has a logical value “1” when an ECC error has occurred, and has a logical value “0” when no ECC error has occurred. Information held in the first error address register 71 (error address) is output to the first CPU 21 via the first CPU bus 61. The read data from the memory 10 (data corrected when an ECC error occurs) is output to the first CPU bus 61 and the first comparison circuit 51. Also, ECC error information indicating the presence or absence of an ECC error is output to the first comparison circuit 51 and the interrupt controllers 11 and 12. Write data (data with ECC) to the memory 10 is transmitted from the first CPU bus 61 to the data mat 10A and the ECC mat 10B of the memory 10 via the first memory interface 31.

  The second memory interface 32 performs an error check based on the same data and ECC read from the memory 10 and supplied to the first memory interface 31, and when an ECC error occurs, A second ECC circuit 42 for automatically correcting one bit of the minimum unit, and when an ECC error occurs, an address (referred to as an “error address”) in the memory 10 in which data relating to the error is stored is temporarily stored. And a second error address register 72 for holding the data. The result of the error check is reflected in the ECC error information. This ECC error information is 1-bit flag information and is held in an appropriate register in the first memory interface 31. The ECC error information is not particularly limited, but has a logical value “1” when an ECC error has occurred, and has a logical value “0” when no ECC error has occurred. Information held in the second error address register 72 (error address) is output to the second CPU 22 via the second CPU bus 62. Data read from the memory 10 (data corrected in the case of an ECC error) is output to the second CPU bus 62 and the second comparison circuit 52. Also, ECC error information indicating the presence or absence of an ECC error is output to the second comparison circuit 52. The ECC error information is not particularly limited, but is output as a logical value “1” when an ECC error occurs as in the case of the output from the first memory interface 31, and when no ECC error occurs. Is a logical value “0”. The first comparison circuit 51 includes a comparator 511 for comparing the read data output from the first memory interface 31 with the read data output from the second memory interface 32, and the first memory interface 31. A comparator 512 for comparing the ECC error information output from the second memory interface 32 with the ECC error information output from the second memory interface 32, and an OR gate 513 for obtaining a logical sum of the output signals of the comparators 511 and 512. including. When the first ECC circuit 41 and the second ECC circuit 42 are operating normally, the read data output from the first memory interface 31 and the read data output from the second memory interface 32 match. The ECC error information output from the first memory interface 31 matches the ECC error information output from the second memory interface 32. In this case, the output signals of the comparators 511 and 512 both have a logical value “0”, and the output of the OR gate 513 also has a logical value “0”. On the other hand, when the read data output from the first memory interface 31 and the read data output from the second memory interface 32 do not match, the output signal of the comparator 511 has a logical value “1”. When the ECC error information output from the first memory interface 31 and the ECC error information output from the second memory interface 32 do not match, the output signal of the comparator 512 has a logical value “1”. Therefore, when the output signal of the logical sum gate 513 is a logical value “0”, both the first ECC circuit 41 and the second ECC circuit 42 are operating normally, and the output signal of the logical sum gate 513 (first comparison) If the output signal of the circuit 51 is a logical value “1”, the first ECC circuit 41 or the second ECC circuit 42 may be broken. The output signal of the OR gate 513 is transmitted to both the first interrupt controller 11 and the second interrupt controller 12 as a mismatch detection signal.

  The second comparison circuit 52 includes read data transmitted via the first memory interface 31 and the first CPU bus 61, and read data transmitted via the second memory interface 32 and the second CPU bus 62. Is included. If the two data match, the output signal of the comparator 521 has a logical value “0”. If the two data do not match, the output signal of the comparator 521 has a logical value “1”. The output signal of the comparator 521 is transmitted to both the first interrupt controller 11 and the second interrupt controller 12 as a mismatch detection signal.

  The first interrupt controller 11 takes in ECC error information from the first memory interface 31, a mismatch detection result from the first comparison circuit 51, and a mismatch detection result from the second comparison circuit 52, and has a predetermined priority. Interrupt control for the first CPU 21 is performed according to the order.

  The second interrupt controller 12 takes in ECC error information from the second memory interface 32, a mismatch detection result from the first comparison circuit 51, and a mismatch detection result from the second comparison circuit 52, and has a predetermined priority. Interrupt control for the second CPU 22 is performed according to the order.

  The first CPU 21 acquires read data (including instructions) from the memory 10 via the first CPU bus 61 and executes predetermined arithmetic processing. Also, write data to the memory 10 is output to the first memory interface 31 via the first CPU bus 61. The first CPU 21 executes predetermined interrupt processing in response to an interrupt request from the first interrupt controller 11.

  The second CPU 22 acquires read data (including instructions) from the memory 10 via the second CPU bus 62 and executes predetermined arithmetic processing. Also, write data to the memory 10 is output to the second memory interface 32 via the second CPU bus 62. The second CPU 22 executes a predetermined interrupt process in response to an interrupt request from the second interrupt controller 12.

  The mismatch detection result from the first comparison circuit 51 and the mismatch detection result from the second comparison circuit 52 are also transmitted to the first CPU 21 and the second CPU 22. Accordingly, the first CPU 21 and the second CPU 22 can grasp the mismatch detection result in the first comparison circuit 51 and the mismatch detection result in the second comparison circuit 52.

  FIG. 2 shows a main processing flow in the microcomputer 1.

  The first CPU 21 and the second CPU 22 execute an instruction (program) acquired from the memory 10 to control, for example, an operation to be controlled in an automobile. At this time, the first CPU 21 and the second CPU 22 can exchange various information with the outside via the SCI 55 and the ACN 56. In addition, analog signals from various sensors can be taken in via the AD converter 57. Further, the PWM timer 54 is controlled to change the duty ratio of the PWM pulse. Such an operation is called “normal operation”. The microcomputer 1 can make a transition from normal operation to error injection processing as necessary. When the normal operation is performed in the main routine, the error injection process is performed in a subroutine. Such error injection processing is periodically performed at predetermined time intervals (for example, every 10 minutes) in order to further improve the reliability of the microcomputer 1. For example, the first CPU 21 and the second CPU 22 determine whether or not to perform an error injection process (S201). Based on this determination, the normal operation is shifted to the error injection process. The error injection processing will be described in detail later with reference to FIG.

  When the error injection process is finished and normal operation is resumed (S203), and memory access by the first CPU 21 and the second CPU 22 occurs (S204), it is determined whether or not this memory access is a read access from the memory 10. In the case of read access (S205), mismatch detection is performed in the first comparison circuit 51 and the second comparison circuit 52 (S206). When a mismatch of the first comparison circuit 51 or a mismatch of the second comparison circuit 52 is detected by read access from the memory 10, the mismatch detection result is set to a logical value “1”, and the first interrupt is based on the result. The controller 11 and the second interrupt controller 12 generate an interrupt request to the first CPU 21 and the second CPU 22, respectively (S207). Upon receiving this interrupt request, the first CPU 21 and the second CPU 22 determine whether or not it is necessary to immediately reset the interrupt request (S208). If it is determined that there is no need to immediately reset the interrupt request, the process proceeds to failure diagnosis processing. This failure diagnosis process includes the processes of steps S209 to S222.

  The failure diagnosis process is performed as follows.

  When a mismatch is detected, the memory address where the mismatch occurred is held in the error address registers 71 and 72, so this error address is read by the first CPU 21 and the second CPU 22 (S209). Then, the first CPU 21 means predetermined data for generating an ECC error in each of the data mat 10A and the ECC mat 10B of the error address in the memory 10 (meaning data that becomes an ECC error when read). (Hereinafter referred to as “test data”) (S210). Then, the first CPU 21 holds an expected value when the test data for generating the ECC error is error-corrected by the first ECC circuit 41 in an appropriate register in the first CPU 21 (S211). Next, the first CPU 21 reads the test data from the memory 10 via the first memory interface 31 (S212). At this time, the first ECC circuit 41 performs error correction on the test data read from the memory 10. The first CPU 21 compares the test data that has been subjected to error correction by the first ECC circuit 41 with the expected value stored in an appropriate internal register in step S211 (S213). In this comparison, when it is determined that the test data subjected to error correction and the expected value do not match, it is determined whether or not the comparison result in the second comparison circuit 52 matches (S217). . In this determination, if it is determined that the comparison result in the second comparison circuit 52 is inconsistent, it is determined that the first ECC circuit 41 is out of order (S219). In this case, the reset by the first CPU 21 is performed. A transition is made to processing (S220). If it is determined in step S217 that the comparison results in the second comparison circuit 52 match, it is determined that the second comparison circuit 52 is out of order (S218), and a transition is made to reset processing by the first CPU 21. (S220). Further, if it is determined in step S213 that the test data subjected to error correction matches the expected value, it is determined whether or not the comparison result in the first comparison circuit 51 matches. (S214). In this determination, if it is determined that the comparison result in the first comparison circuit 51 is inconsistent, a failure of the second ECC circuit 42 is suspected (S215), but the first ECC circuit 41 is normal and the first ECC circuit 41 is normal. Since correct data can be acquired via the one memory interface 31, it is not necessary to immediately shift to the reset process. Rather, a safe system stop process before reset is executed (S216), and reset is performed after the process is completed. (S220) is preferable in terms of improving the reliability of the entire system. Here, the “safe system stop process before reset” is an avoidance measure in the case of inconvenience when the system is reset immediately. For example, if the motor is currently under PWM control, the rotation of the motor A process for safely stopping can be mentioned. In addition, when communication is performed via the SCI 55 or the CAN 56, it may be better to wait for the reset until the communication ends. In such a case, the reset is waited until the communication ends. Can also be included in the “safe system stop process before reset” in step S216. Further, when A / D conversion processing of the input analog signal is performed by the A / D converter 57, processing for waiting for reset until the A / D conversion processing is completed is also performed in step S216. It can be included in “safe system stop processing before reset”.

  In the determination in step S214, if it is determined that the comparison results in the first comparison circuit 51 match, it is considered that a failure has been temporarily detected for some reason even though it is not a failure (S221). ), It is determined whether or not to reset (S222). If it is determined in this determination that reset is necessary (yes), the system is reset after performing a safe system stop process before reset (S216, S220). If it is determined in step S222 that no reset is required (no), the failure diagnosis process is terminated and normal operation is started (S203).

  By executing the fault diagnosis process, it is possible to determine which of the first CC circuit 41 and the second ECC circuit 42 is faulty, and in the case of a fault, the system is reset, so that an error occurs. Undesirable processing based on the data is avoided, and if necessary, safe system stop processing (S216) before a reset request is performed, thereby improving the reliability of operation control by the microcomputer 1. be able to.

  Next, the error injection process in step S202 will be described with reference to FIG. In the error injection process in step S202, test data for generating an ECC error is written in each of the data mat 10A and the ECC mat 10B of the memory 10 and then read out, and the first ECC circuit 41 and the first CPU bus are read out. The test data transmitted via the test data is compared with the expected value after error correction of the test data, and based on the comparison result, the failure of the first ECC circuit 41 and the failure of the second ECC circuit 42 are discriminated. This is basically the same process as the fault diagnosis process in FIG. However, the error injection process in step S202 is greatly different in that test data is written to each of the data mat and the ECC mat at an arbitrary address regardless of the presence or absence of read access to the memory 10 in the normal operation. To do. That is, in the error injection process of step S202, as shown in FIG. 3, the first CPU 21 generates test data for generating an ECC error in each of the data mat and the ECC mat at an arbitrary address in the memory 10. Writing is performed (S310). The first CPU 21 holds an expected value when the test data for generating the ECC error is error-corrected by the first ECC circuit 41 in an appropriate register in the first CPU 21 (S311). Next, the first CPU 21 reads the test data from the memory 10 via the first memory interface 31 (S312). At this time, the first ECC circuit 41 performs error correction on the test data read from the memory 10. The first CPU 21 compares the test data corrected by the first ECC circuit 41 with the expected value stored in the appropriate internal register in step S211 (S313). In this comparison, when it is determined that the test data subjected to error correction and the expected value do not match, it is determined whether or not the comparison result in the second comparison circuit 52 matches (S317). . In this determination, if it is determined that the comparison result in the second comparison circuit 52 is inconsistent, it is determined that the first ECC circuit 41 has failed (S319). In this case, the reset by the first CPU 21 is performed. A transition is made to processing (S320). If it is determined in step S317 that the comparison results in the second comparison circuit 52 match, it is determined that the second comparison circuit 52 is out of order (S318), and a transition is made to reset processing by the first CPU 21. (S320). Further, if it is determined in step S313 that the test data subjected to error correction and the expected value match, it is determined whether or not the comparison result in the first comparison circuit 51 matches. (S314). In this determination, if it is determined that the comparison result in the first comparison circuit 51 is inconsistent, it is determined that the second ECC circuit 42 has failed (S315), and a safe system stop process before resetting is performed ( (S316) After the completion of the process, the process proceeds to a reset process (S320). Here, the safe system stop process before resetting is a measure for avoiding inconvenience when the system is immediately reset, and a specific example thereof is the same as that in step 216 in FIG.

  If it is determined in step S314 that the comparison results in the first comparison circuit 51 match, the error injection process according to this subroutine is terminated, and the process returns to the main routine shown in FIG. Normal operation is started (S203).

  Such error injection processing is periodically executed at predetermined time intervals, so that it is possible to determine which of the first CC circuit 41 and the second ECC circuit 42 has failed, and in the case of a failure. By resetting the system, undesired processing based on error-related data is avoided, and if necessary, safe system stop processing (S316) before a reset request is performed, so that the microcomputer The reliability of the operation control by 1 can be improved.

  According to the above example, the following effects can be obtained.

  (1) Each time data is read out from the memory 10, the first CPU 21 determines whether an ECC error has occurred based on the comparison result in the first comparison circuit 52, and when an ECC error has occurred. The fault diagnosis process (S209 to S222) that makes it possible to discriminate between the failure of the first ECC circuit and the failure of the second ECC circuit causes any of the duplicated ECC circuits to fail. Can be determined.

  (2) If it is determined in step S217 that the comparison results in the second comparison circuit 52 match, it is determined that the second comparison circuit 52 is out of order (S218), and a transition is made to reset processing by the first CPU 21. (S220). Further, if it is determined in step S213 that the test data subjected to error correction matches the expected value, it is determined whether or not the comparison result in the first comparison circuit 51 matches. (S214). In this determination, if it is determined that the comparison result in the first comparison circuit 51 does not match, it is not necessary to immediately shift to the reset process, and a safe system stop process before the reset is executed (S216). After the processing is completed, the transition to the reset processing is performed (S220), so that the reliability of the entire system can be further improved.

  (3) Since the error injection process (S202) is periodically performed at predetermined time intervals, the reliability of the microcomputer 1 can be further improved.

  Although the invention made by the present inventor has been specifically described above, the present invention is not limited thereto, and it goes without saying that various changes can be made without departing from the scope of the invention.

  For example, the error injection process (S202) may be performed at the time of a power-on reset performed due to power-on or a reset process such as an interrupt. By doing so, the reliability of the microcomputer 1 can be further improved.

It is a block diagram of a detailed configuration example of a main part in the microcomputer according to the present invention. It is a flowchart which shows the flow of the failure diagnosis in the said microcomputer. It is a flowchart which shows the flow of the error injection process in the said microcomputer. It is a block diagram of an example of the overall configuration of the microcomputer.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Microcomputer 10 Memory 10A Data mat 10B ECC mat 11 1st interrupt controller 12 2nd interrupt controller 21 1st CPU
22 Second CPU
31 1st memory interface 32 2nd memory interface 41 1st ECC circuit 42 2nd ECC circuit 51 1st comparison circuit 52 2nd comparison circuit 61 1st CPU bus 62 2nd CPU bus

Claims (10)

A memory including a data mat capable of storing data and an ECC mat;
A first memory interface capable of writing data to each of the memory data mat and the ECC mat;
A first ECC circuit that performs an error check on the data read from the memory and corrects the error of the data if there is an error in the read data;
A second ECC circuit that performs an error check on the data read from the memory and corrects the error of the data if there is an error in the read data;
A first bus capable of transmitting data obtained via the first ECC circuit;
A second bus capable of transmitting data obtained via the second ECC circuit;
A first CPU coupled to the first bus and capable of processing data captured via the first bus;
A second CPU coupled to the second bus and capable of processing data captured via the second bus;
A first comparison circuit enabling comparison of whether the output information of the first ECC circuit and the output information of the second ECC circuit match,
Each time data is read from the memory, the first CPU determines whether or not a mismatch is detected based on the comparison result in the first comparison circuit. If a mismatch is detected, the first CPU Predetermined data for generating an ECC error is written in each of the data mat and the ECC mat, and a failure diagnosis process is executed that enables discrimination between the failure of the first ECC circuit and the failure of the second ECC circuit. A microcomputer characterized by.   The failure diagnosis process by the first CPU writes predetermined data for generating an ECC error to each of the data mat and the ECC mat of the memory when the inconsistency detection is grasped based on the comparison result in the first comparison circuit. Thereafter, it is read out, the predetermined data transmitted through the first ECC circuit and the first bus is compared with an expected value after error correction of the predetermined data, and the first ECC is determined based on the comparison result. The microcomputer according to claim 1, further comprising a process that makes it possible to discriminate between a circuit failure and a failure of the second ECC circuit. First read data read from the memory and transmitted via the first ECC circuit and the first bus, and read from the memory and transmitted via the second ECC circuit and the second bus A second comparison circuit that enables comparison of whether or not the second read data matches,
In the failure diagnosis processing by the first CPU, when an ECC error is grasped based on the comparison result of the first comparison circuit, predetermined data for generating the ECC error is written in each of the data mat and the ECC mat of the memory. Thereafter, it is read out, the predetermined data transmitted via the first ECC circuit and the first bus is compared with an expected value after error correction of the predetermined data, and the comparison result is compared with the first comparison circuit. The microcomputer according to claim 1, further comprising: a process that makes it possible to distinguish between a failure in the first ECC circuit and a failure in the second ECC circuit based on the comparison result in step 1 and the comparison result in the second comparison circuit. . In the failure diagnosis process, if the predetermined data does not match the expected value after error correction of the predetermined data, and the first read data and the second read data do not match, the first ECC A first process for determining a circuit failure;
If the predetermined data and the expected value after error correction of the predetermined data match and the error check result in the first ECC circuit does not match the error check result in the second ECC circuit, the first data The microcomputer according to claim 3, further comprising: a second process for determining that the 2ECC circuit is faulty.   The said 1st CPU performs the system stop process for changing to a safe state even if it resets, when it is judged in the said fault diagnosis process that the said 2nd ECC circuit is faulty, Then, it changes to a reset process. The microcomputer as described.   The microcomputer according to claim 4, wherein when the first CPU determines that the first ECC circuit has failed in the failure diagnosis process, the first CPU promptly shifts to a reset process. A memory including a data mat capable of storing data and an ECC mat;
A first memory interface capable of writing data to each of the memory data mat and the ECC mat;
A first ECC circuit that performs an error check on the data read from the memory and corrects the error of the data if there is an error in the read data;
A second ECC circuit that performs an error check on the data read from the memory and corrects the error of the data if there is an error in the read data;
A first bus capable of transmitting data obtained via the first ECC circuit;
A second bus capable of transmitting data obtained via the second ECC circuit;
A first CPU coupled to the first bus and capable of processing data captured via the first bus;
A second CPU coupled to the second bus and capable of processing data captured via the second bus;
The first CPU writes predetermined data for generating an ECC error to each of the data mat and the ECC mat of the memory and then reads the predetermined data and transmits the predetermined data transmitted via the first ECC circuit and the first bus. The data is compared with the expected value after error correction of the test data, and based on the comparison result, an error injection process is executed that makes it possible to discriminate between the failure of the first ECC circuit and the failure of the second ECC circuit. A microcomputer characterized by being a thing.   8. The microcomputer according to claim 7, wherein the error injection process is periodically executed at predetermined time intervals.   8. The microcomputer according to claim 7, wherein the error injection process is executed due to a power-on reset caused by starting energization of the microcomputer.   8. The microcomputer according to claim 7, wherein the error injection process is executed due to a reset of the microcomputer.

Images